Sunday, June 21, 2009

Security section is very import for web development. Every user get scared if his data is looted from the websites. There are many issues which are related to web security. That’s why we are so concerned with web security. To protect our web application, the first thing is never trust any input. We must escape every inputs properly. Php comes with many escape functions .For input escaping , htmlentities() function converts all applicable characters to HTML entities. It has 4 parameters. The first arguments takes the string to escape. The second argument is the quote style. There are 3 types of styles:1. ENT_COMPAT: this will convert double quotes and leaves the single quotes.2. ENT_QUOTES: this will convert both single and double quotes.3. ENT_NOQUOUTES: this will leave both single and double quotes.The third parameter is the charset. The default is ISO-8859-1 and the fourth parameter is double_encodes. If it is set to off , then php will not encode existing html entities, the default is On.There is a similar function called htmlspecialchars() with the exception is that htmlentities convert all characters and htmlspecialchars encodes only special characters.The translations performed are: • '&' (ampersand) becomes '&' • '"' (double quote) becomes '"' when ENT_NOQUOTES is not set. • ''' (single quote) becomes ''' only when ENT_QUOTES is set. • '• '>' (greater than) becomes '>' This function has the same 4 parameters of htmlentities. These 2 function uses the html translation table. We can find with the function get_html_translation_table.$trans = get_html_translation_table(HTML_ENTITIES);$str = "Hallo & & Krämer";$encoded = strtr($str, $trans);

The functions urlencode and rawurlencode is used for encoding data on the url. This helps to hide any important data from possible attackers. The difference between these 2 is that the first function converts spaces into ‘+’ sign. Urldecode and rawurldecode decodes the encoded data. The encoded data in $_GET and $_REQUEST method automatically decodes data.

Filtering data:So, We must filter any input data before use. There are 2 approaches . 1. Blacklist approach: In this approach, we assume every thing is secure except the some given listed data. If any input matches the given data, we will treat is as tainted. 2. Whitelist approach: This approach assumes that all are tainted except some given data. If a data matches this given data, then we can say this data is safe to proceed.We can use ctype_* and is_* functions for filtering inputs. These functions check whether the given data is our required data type.if (ctype_alpha($_POST[’username’])){$clean[’username’] = $_POST[’username’];}if (ctype_alnum($_POST[’password’])){$clean[’password’] = $_POST[’password’];}$colours = array(’Red’, ’Blue’, ’Yellow’, ’Green’);if (in_array($_POST[’colour’], $colours)){$clean[’colour’] = $_POST[’colour’];}Here we are checking the input data whether they are of specified type. Sometimes client-side javascript validation is not necessary for filtering, as there is one security issue called ‘spoofed form’. We will talk about this later. So, we must not rely on client-side javascript. We need to use server side filtering also.

This is not all about web security in php world. We will focus on the rest later on.